What Is Ransomware?
Ransomware is a type of malware that encrypts data or locks a system so that its legitimate users can no longer access it. The attacker then holds the data or system for ransom, promising to restore access (typically by handing over a decryption key) only once a specified sum has been paid.
Ransomware has grown sharply over the years, with an estimated 700 million attacks reported in 2021 and 70% of respondents naming ransomware as the biggest threat to their environment.
The first ransomware attack was recorded in 1989 and was distributed on floppy disks. Since then the number of attacks has grown enormously, and the rise of cryptocurrencies such as Bitcoin has accelerated it further: Bitcoin is easy to pay with and, although its transactions are public, it is pseudonymous and often hard to trace back to a person.
How Does a Ransomware Attack Occur?
Ransomware usually arrives through external exposure or user action. Exploitation of a vulnerability is the root point of compromise in most attacks, but user action, such as falling for social engineering, remains a common cause of ransomware.
Once an attacker has a foothold on a system, network, or access point, they deploy the malware to take control of it and then hold it for ransom. Ransomware-as-a-service (RaaS) has become more popular in recent years: developers sell or lease the necessary tooling to affiliates who launch the attacks.
Example of a Ransomware Attack
In the spring of 2022, the Costa Rican government suffered a ransomware attack after the Conti ransomware gang gained access to multiple government systems. The attack first targeted the financial sector, affecting government and private financial services, before spreading to the country's healthcare network, with the attackers demanding a $20 million payment.
This attack showed how a digital attack can have real-world ramifications, and why organisations are often ready to pay the ransom quickly. The damage in this case was extensive enough that the government declared a state of emergency.
Ransomware vs. Exfiltration
In a cyber attack, once attackers have access they can steal valuable data for their own use, for sale, or for public release. Exfiltration can be an attack in its own right, but attackers now commonly exfiltrate data during ransomware attacks as well: if the organisation is reluctant to pay for decryption, they can still threaten to release or sell the data.
Ransomware vs. Ransomware-as-a-Service
While ransomware is the specific malware and attack, Ransomware-as-a-Service is the business model that (sometimes) surrounds it. In this model a bad actor purchases, or subscribes to, complete ransomware tooling from a developer on the dark web and uses it to launch a ransomware attack.
Some RaaS groups offer their attack services as a one-time purchase, while others offer them as a subscription plan. Some combine subscriptions with a cut of the ransom fee. Ransomware-as-a-service has grown year on year, and 2 out of every 3 ransomware attacks are now connected to it.
What are Ransomware-as-a-Service Gangs?
Ransomware-as-a-service gangs are organised crime syndicates that carry out ransomware attacks, splitting the profits between them. Many high-profile ransomware attacks have been linked to these gangs. They often operate, or lead, RaaS initiatives as well.
Types of Ransomware
Ransomware attacks can take a few forms, and through the increase in attacks (and proliferation of ransomware gangs) a few common styles of attack have been identified.
1. Crypto Ransomware
This is the most common kind of ransomware attack, where the data or system is encrypted by bad actors. It can only be released with a decryption key that they hold.
2. Locker Ransomware
A "locker" attack is when users are completely locked out of a software or system. This attack is less about individual data and more about preventing any kind of access. Often, in this kind of attack, a lock screen will appear with details about the ransom demand.
3. Scareware
Scareware relies on fake software to trick users into initiating the attack. The fake software claims that malware or a virus has been detected on the system and that a ransom must be paid to fix the issue. This kind of ransomware is often used against individuals and personal devices.
4. Leakware (Doxware)
Leakware, also called doxware, threatens to leak sensitive or valuable data if the ransom is not paid. This threat is often effective, as organisations do not want this data to fall into the wrong hands.
How Does A Ransomware Attack Work?
A successful ransomware attack follows a few key steps:
1. The target is chosen and the malware is delivered, most visibly through a phishing attack. Threat actors can also get in by exploiting a vulnerability or by using stolen or purchased credentials, but social engineering remains one of the most used attack vectors.
2. The malware executes, encrypting files on the compromised systems (and, often, any network shares it can reach) and leaving a ransom note, thereby holding the data for ransom.
3. Threat actors may also exfiltrate the data before demanding the ransom. This happens if the attacker is unsure whether the organisation will pay, or if they want the assets regardless.
4. If the ransom is paid, the attackers (usually) supply a decryption key and the data is decrypted. Bitcoin is the most common currency for ransom payment.
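Step 2 is the phase a defender can most directly observe on an endpoint: a single process suddenly producing a burst of high-entropy file writes, renaming files to an unknown extension, and dropping a ransom note. The script below is an added example (not Arctic Wolf's code or any vendor's detection logic) that scores a stream of file events on exactly those three signals. The event records, the process names (including the hypothetical payload name "enc.exe") and the paths are constructed for the demo; the extension allow-list and ransom-note name fragments are assumptions a real deployment would tune.

```python
"""Flag ransomware-like file activity in a stream of file events.

Added example, not Arctic Wolf code. Process names, paths and the event
records below are constructed for illustration.
"""
import math
import random
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Extensions expected on a user document share (assumption for the demo).
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip"}
# Filename fragments commonly seen in ransom notes (heuristic, not exhaustive).
RANSOM_NOTE_HINTS = ("readme", "decrypt", "recover", "restore", "how_to")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, plain text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: str) -> bool:
    name = PurePosixPath(path).name.lower()
    return name.endswith((".txt", ".hta", ".html")) and any(h in name for h in RANSOM_NOTE_HINTS)


def analyse(events, window_s=60.0, entropy_threshold=7.0, min_encrypted=5):
    """Score each process on its behaviour inside a sliding time window.

    A process is flagged only when a burst of high-entropy writes is combined
    with a second extortion signal (extension change or ransom note), so a
    backup tool that writes high-entropy archives is not flagged on entropy alone.
    """
    per_proc = defaultdict(lambda: {"write_ts": [], "ext_changes": 0, "ransom_notes": 0})
    for ev in sorted(events, key=lambda e: e["ts"]):
        state = per_proc[ev["proc"]]
        if ev["op"] == "write":
            if shannon_entropy(ev["data"]) >= entropy_threshold:
                state["write_ts"].append(ev["ts"])
            if looks_like_ransom_note(ev["path"]):
                state["ransom_notes"] += 1
        elif ev["op"] == "rename":
            new_ext = PurePosixPath(ev["new_path"]).suffix.lower()
            if new_ext and new_ext not in KNOWN_EXTENSIONS:
                state["ext_changes"] += 1

    report = {}
    for proc, state in per_proc.items():
        ts = state["write_ts"]
        # Largest number of high-entropy writes falling inside any window_s-second span.
        burst = max((sum(1 for t in ts if start <= t <= start + window_s) for start in ts), default=0)
        report[proc] = {
            "encrypted_writes": burst,
            "ext_changes": state["ext_changes"],
            "ransom_notes": state["ransom_notes"],
            "flagged": burst >= min_encrypted and (state["ext_changes"] > 0 or state["ransom_notes"] > 0),
        }
    return report


def constructed_events():
    """Constructed sample: one encryptor, one backup tool, one office application."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext

    def cipher() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(2048))

    text = b"Quarterly figures: revenue up 4%, costs flat. " * 40
    events = []
    # "enc.exe" is a hypothetical name for the ransomware payload.
    for i in range(6):
        doc = f"/share/finance/report{i}.docx"
        events.append({"ts": 100.0 + i, "proc": "enc.exe", "op": "write", "path": doc, "data": cipher()})
        events.append({"ts": 100.5 + i, "proc": "enc.exe", "op": "rename", "path": doc, "new_path": doc + ".locked"})
    events.append({"ts": 107.0, "proc": "enc.exe", "op": "write",
                   "path": "/share/finance/HOW_TO_DECRYPT.txt", "data": text})
    # Backup tool: high-entropy archives, but no renames and no notes.
    for i in range(6):
        events.append({"ts": 200.0 + i, "proc": "backup.exe", "op": "write",
                       "path": f"/backup/set{i}.zip", "data": cipher()})
    # Office application: a single low-entropy document save.
    events.append({"ts": 300.0, "proc": "winword.exe", "op": "write",
                   "path": "/share/finance/memo.docx", "data": text})
    return events


if __name__ == "__main__":
    for proc, result in analyse(constructed_events()).items():
        print(proc, result)
```

Running it flags only enc.exe: backup.exe produces the same number of high-entropy writes but touches no unknown extension and drops no note, which is why the detector requires a second signal rather than reacting to entropy alone.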
Double and Triple Extortion in Ransomware Attacks
A standard ransomware attack relies on extortion: the attacker demands money from the organisation in return for restoring access to its data. There are, however, also cases of double and triple extortion.
Double extortion is where the attacker exfiltrates the data before the ransom is paid, and then threatens to release it.
Triple extortion is where the attacker prolongs the attack for multiple payouts. In addition to exfiltrating the organisation’s data and threatening to release it, an attacker will, in a triple extortion scenario, contact individuals who would be affected by the data release, and extort them for payout as well.
Why Ransomware Is Effective
Ransomware is effective because it’s easier, and often cheaper, for organisations to pay the ransom than to deal with the fallout from the attack. In addition to data that may be leaked, there’s operational downtime, which costs money every minute, and then there’s the expense of clean-up, remediation, and potential compliance investigations and fines.
Hackers often target critical infrastructure, healthcare, and governments for ransomware because those organisations can’t afford the downtime.
Ransomware Is Increasing
For the reasons above, ransomware attacks are increasing across industries. As noted above, attacks in 2021 topped 700 million, a year-over-year increase of 13%.
In addition, the average ransom payment rose 82% from 2020 to 2021. Attackers have seen how ransomware leads to an easy payday, from both individual users and large organisations, so this upward trend will probably continue in the coming years.
Ransomware and State-Sponsored Actors
In addition to ransomware gangs, ransomware can be deployed by nation-state or state-sponsored actors as a form of cyber warfare. The 2020 SolarWinds supply-chain compromise (an espionage operation rather than ransomware) was attributed to Russia, and the conflict in Ukraine has seen cyber attacks on both Ukraine and Russia conducted by nation-state actors. In 2022, North Korean actors used ransomware against US healthcare organisations and infrastructure.
Many ransomware gangs operate out of countries, such as Russia, where the government does not prosecute them. This makes defeating ransomware on a large scale very difficult.
How to Protect Against a Ransomware Attack
1. Invest in security awareness training. Since many ransomware attacks start with social engineering, employees and users need to be alert and vigilant, as they are the intended targets. Security awareness training helps those users learn how social engineering works, how to spot threats, and what to do to keep data secure. Learn more about Arctic Wolf's Managed Security Awareness here.
2. Implement strong access controls. Ransomware spreads through lateral movement and unsecured access points. If ransomware does get into a system, strong access controls (least privilege, segmentation, and multi-factor authentication on remote access) limit how far it can spread.
3. Follow the National Institute of Standards and Technology (NIST) core principles. These guidelines can help any organisation understand the risk points that exist within its security environment and how to mitigate them.
4. Consider a security operations partner. For many industries targeted by ransomware, especially healthcare and local municipalities, monitoring and mitigating risks 24x7 just isn't a realistic option. A security operations partner can provide continuous monitoring, detection and response, helping organisations reduce their cyber risk. Learn more about Arctic Wolf's Security Operations Cloud and Concierge Security® Team here.
Should You Pay the Ransom if You’re Attacked?
No. There is no guarantee that paying the ransom will actually end the attack or recover the data, and paying shows attackers that your organisation is willing to pay, which can invite future attacks. Instead, organisations should work with their incident response teams and let the experts handle remediation and restoration. The FBI does not recommend paying the ransom: "The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn't guarantee you or your organisation will get any data back."
We recommend immediately getting in contact with your incident response vendor and cyber insurance provider.
How Arctic Wolf Can Help with Ransomware
Managed Security Awareness can help users and employees understand the risks of phishing attacks and thwart these threats before they become breaches. 64% of respondents list phishing as their primary vector of concern, and 48% of organisations identify a need to learn more about phishing mitigation. That mitigation can be achieved through engaging micro-learning sessions and relevant content.
The Arctic Wolf® Managed Detection and Response (MDR) solution offers 24x7 monitoring of networks, endpoints, and cloud environments. If ransomware is deployed, MDR helps your organisation identify and remediate it quickly and effectively.
Arctic Wolf® Incident Response is a trusted leader in incident response (IR) leveraging an elastic framework that enables rapid remediation to any cyber emergency at scale. With a breadth of IR capabilities, technical depth of incident investigators, and exceptional service provided throughout IR engagements, Arctic Wolf Incident Response helps organisations recover from cyber incidents, like ransomware attacks, fast.